This principle is self-explanatory, but it cannot be said enough: the level of success is directly tied to the depth of the research. As discussed in the earlier tutorial on Information Gathering, research is the crux of successful social engineering. The more information a social engineer holds, the better the chances of developing a pretext that works.
Remember the story I told in the Information Gathering tutorial about the Attacker (Social Engineer) and how he convinced a high-level executive to visit his "stamp collection" site online? At first glance, because the target was a banking facility, the way into that company might have seemed to involve finance, banking, fund raising, or something along those lines. The more research the Attacker (Social Engineer) did, the clearer it became that the pretext could be a person selling a stamp collection. Finding out what the executive's interests were gave the Attacker (Social Engineer) an easy way into the company, and it worked.
Sometimes it is those little details that make the difference. Remember, no information is irrelevant. While gathering information, it is also a good idea to look for stories, items, or aspects of a personal nature. Using a target's personal or emotional attachments can get you a foot in the door. If the social engineer finds out that every year the CFO donates a sizable sum to a children's cancer research center, then a pretext built around fund raising for this cause could very likely work, as heartless as it sounds.
The problem is that malicious social engineers use pretexts that feed on emotions without a second thought. After the attacks on the Twin Towers in New York City on September 11, 2001, many malicious hackers and social engineers exploited those losses to raise funds for themselves, through websites and emails that targeted people's computers and through fake fund raisers that collected money from those with a giving heart. After the earthquakes in Chile and Haiti in 2010 the same thing happened: many malicious social engineers set up websites positioned as offering information on the seismic activity or on the people who were lost. These sites carried malicious code that compromised visitors' computers.
This is even more evident directly after the death of a movie or music star. Search engine optimization (SEO) and marketing experts will have the search engines pulling up their stories within hours. Alongside the marketers, malicious social engineers take advantage of the increased search engine attention by launching malicious sites that feed off that SEO. Once people are drawn to these sites, the attackers harvest their information or infect their machines with malware.
As a social engineering auditor, I can use an employee's emotions to show a company that even people with seemingly good intentions can trick its employees into giving access to valuable data whose loss could ruin the business.
All these examples reinforce the point: the more thorough a social engineer's information gathering and research, the better the chance of finding some detail that makes a pretext succeed.